_________________________/\\\\\\\\\\\______________________________________________________________________________________________________________________________________ _______________________/\\\/////////\\\____________________________________________________________________________________________________________________________________ ______________________\//\\\______\///____________________________________________________________/\\\_____/\\\_________/\\\__/\\\_________________________________________ _______________________\////\\\_____________/\\\\\\\\______/\\\\\\\\__/\\\____/\\\__/\\/\\\\\\\__\///___/\\\\\\\\\\\___\//\\\/\\\__________________________________________ __________________________\////\\\________/\\\/////\\\___/\\\//////__\/\\\___\/\\\_\/\\\/////\\\__/\\\_\////\\\////_____\//\\\\\___________________________________________ _____________________________\////\\\____/\\\\\\\\\\\___/\\\_________\/\\\___\/\\\_\/\\\___\///__\/\\\____\/\\\__________\//\\\____________________________________________ ______________________/\\\______\//\\\__\//\\///////___\//\\\________\/\\\___\/\\\_\/\\\_________\/\\\____\/\\\_/\\___/\\_/\\\_____________________________________________ _____________________\///\\\\\\\\\\\/____\//\\\\\\\\\\__\///\\\\\\\\_\//\\\\\\\\\__\/\\\_________\/\\\____\//\\\\\___\//\\\\/______________________________________________ _______________________\///////////_______\//////////_____\////////___\/////////___\///__________\///______\/////_____\////________________________________________________ _____________________________________________/\\\\\\\\\\\__________________/\\\_______________________________________________________________________________________________________ ___________________________________________/\\\/////////\\\_______________\/\\\_______________________________________________________________________________________________________ 
__________________________________________\//\\\______\///________________\/\\\_________________________/\\\_______________________________________/\\\_______________________________ ___________________________________________\////\\\__________/\\\____/\\\_\/\\\_________/\\\\\\\\\\__/\\\\\\\\\\\__/\\/\\\\\\\___/\\\\\\\\\_____/\\\\\\\\\\\_____/\\\\\\\\____________ ______________________________________________\////\\\______\/\\\___\/\\\_\/\\\\\\\\\__\/\\\//////__\////\\\////__\/\\\/////\\\_\////////\\\___\////\\\////____/\\\/////\\\___________ _________________________________________________\////\\\___\/\\\___\/\\\_\/\\\////\\\_\/\\\\\\\\\\____\/\\\______\/\\\___\///____/\\\\\\\\\\_____\/\\\_______/\\\\\\\\\\\____________ __________________________________________/\\\______\//\\\__\/\\\___\/\\\_\/\\\__\/\\\_\////////\\\____\/\\\_/\\__\/\\\__________/\\\/////\\\_____\/\\\_/\\__\//\\///////_____________ _________________________________________\///\\\\\\\\\\\/___\//\\\\\\\\\__\/\\\\\\\\\___/\\\\\\\\\\____\//\\\\\___\/\\\_________\//\\\\\\\\/\\____\//\\\\\____\//\\\\\\\\\\___________ ___________________________________________\///////////______\/////////___\/////////___\//////////______\/////____\///___________\////////\//______\/////______\//////////____________

Understanding the Pro-Russia Hacktivist Threat to Critical Infrastructure: What You Need to Know

On December 9, 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert with the FBI, NSA, Department of Energy, and EPA warning about an active campaign targeting American critical infrastructure. Four pro-Russia hacktivist groups—Cyber Army of Russia Reborn, NoName057(16), Z-Pentest, and Sector16—are exploiting a surprisingly simple vulnerability to attack water treatment facilities, energy systems, and food production plants: unsecured remote access connections.

Here's what makes this threat different, why it matters, and what you can do to protect your organization.


What You Need to Know

Pro-Russia hacktivist groups are actively targeting US critical infrastructure by exploiting internet-facing Virtual Network Computing (VNC) remote access systems. Think of VNC as a way to control a computer remotely—like looking at someone else's screen and using their mouse and keyboard from across the internet. When these systems are left exposed to the public internet with weak passwords or default settings, attackers can simply connect and take control of industrial equipment.

Unlike sophisticated nation-state cyberattacks that make headlines, these hackers aren't using advanced malware or zero-day exploits. Instead, they're scanning the internet for exposed systems, trying common passwords like "admin" or "password," and walking right through unlocked digital doors. Yet despite this relatively low technical sophistication, CISA confirms these attacks have caused "varying degrees of impact, including physical damage" to operational technology systems.

If your organization operates critical infrastructure with internet-accessible control systems, you're at immediate risk. The good news? The fixes are straightforward—but they need to happen now.


The Technical Details

Let's break down what's actually happening in these attacks.

How the Attack Works

Step 1: Finding Targets

The attackers use tools like Shodan (a search engine for internet-connected devices) to scan for exposed VNC services. VNC typically runs on TCP port 5900, and when these ports are directly accessible from the internet, they become visible targets. Think of it like leaving your house with the front door not just unlocked, but wide open and visible from the street—anyone can see it's open and walk right in.

# Attackers search for exposed systems with queries like:
# "port:5900 country:US" on Shodan
# This reveals thousands of potentially vulnerable systems

Step 2: Getting Inside

Once they find an exposed VNC service, attackers attempt to authenticate using:

  • Default vendor credentials (like "admin/admin" or "operator/operator")
  • Blank passwords (surprisingly common in industrial systems)
  • Brute-force attacks with lists of common passwords
  • Previously leaked credentials from other breaches

Many operational technology (OT) systems were designed decades ago, before internet connectivity was common. They often ship with default passwords that operators never change, especially when the focus is on keeping production running rather than cybersecurity.

Step 3: Taking Control

When a VNC connection succeeds, the attacker gets full graphical access to the control system—the same view a legitimate operator would see. From there, they can:

  • Open SCADA (Supervisory Control and Data Acquisition) software that monitors and controls physical processes
  • Change setpoints that control pressure, temperature, flow rates, or chemical dosing
  • Disable safety alarms that would normally alert operators to dangerous conditions
  • Issue commands to pumps, motors, valves, and other field equipment
  • Access engineering tools to modify the logic that controls automated processes

Step 4: Causing Damage

The impact depends on which systems get compromised:

  • Water treatment facilities: Attackers could alter chemical dosing (too much chlorine could create dangerous conditions, too little could leave water unsafe), shut down pumps, or disable monitoring systems.
  • Energy systems: Compromised oil well controls could damage equipment through over-pressurization, or SCADA systems could be disrupted to cause operational downtime.
  • Food production: Control systems for pasteurization, refrigeration, or food safety processes could be manipulated, potentially leading to contamination or spoilage.

Why This Approach Works

The VNC protocol itself isn't necessarily insecure—the problem is deployment. When VNC services are exposed directly to the internet without proper protection, and especially when authentication is weak or absent, they become low-hanging fruit for attackers. Unlike IT systems that typically have multiple layers of security, many OT networks were designed for isolated, air-gapped environments and lack the security controls we take for granted in modern networks.


The Severity Score: Why This Rates as "High"

While there's no specific CVE (Common Vulnerabilities and Exposures) number for this threat—because it's not a software vulnerability but rather a configuration problem—the risk is substantial:

  • Attack Vector: Network – Attackers can reach vulnerable systems from anywhere on the internet
  • Attack Complexity: Low – No special skills or tools required beyond freely available software
  • Privileges Required: None – Attackers don't need any existing access or credentials (if systems have weak/no passwords)
  • User Interaction: None – Nobody on the victim side has to click a link or open a file; the attacker drives the whole thing from the outside
  • Scope: Changed – A compromised control system can affect physical infrastructure beyond the initial digital breach
  • Impact: High – Physical damage to equipment, operational disruption, and potential safety incidents

Plugging those metrics into the CVSS 3.1 (Common Vulnerability Scoring System) base-score formula as the vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H gives 10.0, "Critical"; even with Scope left Unchanged it comes out at 9.8. The exact number matters less than the comparison: a configuration weakness never gets a CVE entry, yet this one scores as high as the worst software bugs.


Who's Behind These Attacks

Let's meet the threat actors CISA has identified, and understand what motivates them.

Cyber Army of Russia Reborn (CARR)

Cyber Army of Russia Reborn emerged in early March 2022, shortly after Russia's invasion of Ukraine. Despite the "hacktivist" label, this group likely receives support from Russian military intelligence—specifically, the GRU's Main Center for Special Technologies (unit 74455), the same group behind sophisticated attacks on Ukraine's power grid in 2015-2016.

In January 2024, CARR claimed responsibility for compromising water systems in Abernathy and Muleshoe, Texas, causing water tank overflows. The US Treasury Department took these threats seriously enough to sanction two CARR members in July 2024: Yuliya Vladimirovna Pankratova (the group's leader) and Denis Olegovich Degtyarenko (identified as the primary hacker).

What makes CARR notable is their evolution from typical hacktivist tactics (website defacements, data leaks) to targeting physical infrastructure with real-world consequences.

NoName057(16)

NoName057(16) launched in March 2022 as a pro-Russia hacktivist collective focused on DDoS (Distributed Denial of Service) attacks. They even developed their own DDoS tool called "DDoSia." Between March 2022 and June 2025, the group conducted over 1,500 attacks targeting more than 3,700 unique hosts—primarily government agencies in European nations supporting Ukraine.

In 2024, NoName057(16) expanded their operations from network-layer disruption to operational technology attacks, demonstrating the concerning trend of hacktivists moving from digital nuisances to physical threats. In July 2025, Europol conducted "Operation Eastwood" specifically targeting this group, though their activities continue.

Z-Pentest

Z-Pentest was established in September 2024 by members from CARR and NoName057(16). The group specializes in OT intrusion operations and explicitly avoids DDoS activities, focusing instead on gaining direct access to industrial control systems. They've developed hack-and-leak operations, where they compromise systems, gather evidence of their intrusion (often screenshots of control panels), and publicize the attacks on Telegram channels and pro-Russia social media.

The group's emphasis on "pentest" (penetration testing) in their name is somewhat ironic—while they portray themselves as exposing security weaknesses, their actions go far beyond responsible disclosure, causing real operational disruption and damage.

Sector16

Sector16 is the newest of the four groups, formed in January 2025 through collaboration with Z-Pentest. They maintain an active presence on Telegram where they publicize their attacks and coordinate with other pro-Russia hacktivist collectives. Less is publicly known about Sector16's specific capabilities compared to the older groups, but CISA's inclusion of them in the advisory indicates active, confirmed operations against critical infrastructure.

What Unites These Groups

All four groups share several characteristics:

Low-to-Medium Sophistication: These aren't elite hackers developing custom malware or exploiting unknown vulnerabilities. They rely on existing tools, publicly available scanners, and common password lists. What they lack in sophistication, they make up for in persistence and opportunism.

Geopolitical Motivation: All four groups explicitly support Russian state interests and frame their attacks as retaliation against nations supporting Ukraine. Their target selection aligns with Russian foreign policy objectives, even if they operate independently of direct state control.

Propaganda Amplification: These groups don't conduct stealthy, long-term operations like traditional nation-state APT (Advanced Persistent Threat) groups. Instead, they publicize their attacks immediately, often exaggerating the impact for psychological effect. The goal is to undermine public confidence in Western critical infrastructure protection.

Physical Impact Capability: Despite their relatively low technical sophistication, CISA confirms these groups have caused physical damage to infrastructure systems. This represents a dangerous evolution in hacktivist tactics—moving from digital inconvenience to real-world consequences.


Why This Matters: The Business and Safety Impact

If you're a system administrator, you're thinking about firewall rules and authentication protocols. If you're a business executive, you're wondering about financial risk and compliance. Let's address both perspectives.

The Financial Risk

Let's talk numbers. If one of these attacks succeeds against your organization, here's what you're looking at:

Immediate Operational Costs:

  • Downtime: Energy sector OT incidents average $2-5 million per event, with recovery taking 3-14 days
  • Water utilities: $150,000-$800,000 per day for emergency response and alternative service provision
  • Food/agriculture: $1.2 million average for production line disruption, plus potential spoilage losses
  • Physical damage: $100,000 to $10 million+ for equipment replacement, with delivery lead times of 6-18 months for specialized industrial hardware

Regulatory Consequences:

Here's where things get expensive fast:

  • NERC CIP violations (energy sector): Up to $1 million per day for critical infrastructure protection violations. In 2024, NERC increased enforcement by 20%, and the largest single penalty ever levied was $10 million.
  • EPA Safe Drinking Water Act (water utilities): Up to $69,733 per day per violation (2024 inflation-adjusted figure). Many facilities assume this is still $25,000 per day from older guidance—it's not.
  • TSA Security Directives (pipeline operators): $500,000 per violation plus potential shutdown orders
  • CISA CIRCIA (all critical infrastructure): The Cyber Incident Reporting for Critical Infrastructure Act requires 72-hour reporting for substantial incidents and 24-hour reporting for ransomware payments. While the final rule isn't expected until May 2026, once enforcement begins, late reporting will trigger penalties and potentially congressional testimony for major incidents.

Long-Term Business Impact:

  • Insurance: Cyber insurance premiums for critical infrastructure are increasing 25-50% annually, and after an incident, expect a 20-40% hike
  • Reputation: Customer confidence in utilities drops significantly after security incidents—water utilities see average 35% drops in consumer confidence surveys following publicized breaches
  • Competitive damage: Enterprise customers (data centers, hospitals, manufacturers) diversify away from providers with demonstrated security weaknesses

Total Estimated Impact: $3 million to $50 million+ per incident

Cost to Prevent: $500,000 to $1.3 million for emergency remediation; $850,000 to $2.6 million annually for sustained OT security programs

Return on Investment: 1.5 to 3.5-year payback period

Here's the math: If you have exposed OT assets and active scanning by motivated adversaries, your probability of exploitation is approximately 25% annually. At a mid-range incident cost of $10 million, your expected annual loss is $2.5 million. Investing $1-2 million in proper security controls eliminates 80-95% of that risk, reducing your expected loss to $250,000 annually—a savings of $2.25 million per year.

This isn't a discretionary IT expense. This is operational resilience and financial risk management.

The Safety Implications

Beyond financial costs, compromised OT systems can create genuine safety hazards:

Water Treatment Facilities: The 2021 incident at Oldsmar, Florida's water treatment plant is often cited as an example. An attacker briefly increased sodium hydroxide (lye) levels from 100 parts per million to 11,100 ppm—enough to cause serious harm if consumed. An operator noticed immediately and reversed the change, preventing any public health impact. (Note: In April 2023, officials revealed the FBI concluded this incident was likely employee error rather than an external cyberattack, though the incident nonetheless highlighted vulnerabilities in water system controls and prompted nationwide attention to OT security.)

Energy Systems: Over-pressurizing oil well systems or disabling safety interlocks on electrical equipment can lead to equipment failures, fires, or explosions. Environmental consequences from oil spills can range from $10 million to $50 million+ in cleanup costs.

Food Production: Compromising pasteurization or refrigeration controls could lead to bacterial contamination, triggering recalls costing $10 million+, FDA consent decrees, and potential facility closures.

Historical Context: Why This Time Is Different

You might be thinking, "We've heard warnings about infrastructure attacks before—how is this different?"

Colonial Pipeline (2021): The DarkSide ransomware attack forced a shutdown that caused East Coast fuel shortages. CEO Joseph Blount testified before Congress about the decision to pay a $4.4 million ransom (the DOJ later recovered approximately $2.3 million). Note: contrary to some reports, there was no "stock price drop" because Colonial Pipeline is a privately held company, not publicly traded. However, the incident demonstrated how digital attacks on OT systems create physical-world consequences—gas stations ran dry, prices spiked, and panic buying ensued.

Ukraine Power Grid (2015-2016): Russian APT group "Sandworm" (GRU Unit 74455) conducted sophisticated attacks using BlackEnergy 3 malware (2015) and Industroyer/Crashoverride malware (2016), cutting power to hundreds of thousands of consumers. These attacks were highly sophisticated, state-sponsored operations involving custom malware designed specifically to target industrial control systems. They demonstrated that cyberattacks could literally turn off the lights.

The Current Threat Is Different:

Unlike those sophisticated nation-state operations, today's pro-Russia hacktivist attacks require no advanced skills. They're not developing custom malware—they're just trying passwords on exposed systems. Yet they're still causing physical damage because so many critical infrastructure operators have basic security gaps.

If nation-state attacks are like master burglars picking high-security locks, hacktivist attacks are like thieves checking which doors are unlocked. The problem is, too many doors are unlocked.


What's Happening in the Wild Right Now

Here's the current threat landscape based on CISA's assessment and open-source intelligence:

Scale of Exposure:

  • Approximately 73,000+ VNC instances are exposed on the internet globally (according to Shodan scanning data from 2025)
  • An estimated 12,000+ of these are in US critical infrastructure sectors
  • Nearly half of ICS (Industrial Control Systems) incidents originate from internet-accessible devices and remote services (SANS 2024 State of ICS/OT Cybersecurity Report)

Active Campaigns:
These attacks are happening right now. CISA issued their advisory because of confirmed, ongoing exploitation—not a theoretical threat. The groups are actively scanning for vulnerable systems, exploiting them when found, and publicizing their successes on Telegram channels and Russian social media.

How Attacks Unfold:

  1. Mass scanning: Attackers scan public IP ranges for exposed VNC ports (5900-5906)
  2. Credential attacks: Automated brute-forcing with common password lists
  3. Initial access: Successful authentication to Windows-based HMI or SCADA workstation
  4. Reconnaissance: Enumerate connected industrial devices, take screenshots of control panels
  5. Impact: Modify control parameters, issue unauthorized commands to equipment
  6. Propaganda: Publicize the attack with screenshots as "proof" to amplify psychological impact

Target Selection:
The advisory describes the approach as "opportunistic" with "superficial targeting criteria based on victim availability." In plain terms: they're attacking whatever they find, not conducting careful reconnaissance on specific high-value targets. This means even smaller utilities, regional energy providers, and local food processors are at risk—not just major national infrastructure.


How to Protect Yourself

Let's walk through the remediation steps, starting with immediate actions you can take today and building toward long-term architectural improvements.

Immediate Actions (Do This in the Next 48 Hours)

1. Identify Your Exposure

Before you can protect your systems, you need to know what's exposed. Here's how to find out:

# From an external network (NOT from inside your network), scan your public IP ranges
# for the VNC display ports (5900-5909) and the browser/Java viewer ports (5800-5809):
nmap -Pn -p 5800-5809,5900-5909 [your_public_ip_range] -oG vnc_scan.txt

# Review the results for open VNC ports. Grepable output lists each port as
# port/state/protocol, so "5900/open/tcp" is what a live listener looks like:
grep -E '59[0-9]{2}/open' vnc_scan.txt

What the output means:

  • "5900/open" = Your VNC service is accessible from the internet—this is bad and needs immediate action
  • "5900/filtered" = Your firewall is blocking access—this is good
  • "5900/closed" = The port is reachable but no service is listening—this is acceptable but not ideal (still exposes your network perimeter)

Why this matters: If external attackers can reach your VNC services, they're already scanning them. This isn't a future threat—it's happening now.
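A port being open tells you there is a listener; it does not tell you whether that listener will hand over the desktop without a password. The following Python script, added here as an illustration (it is not part of the article or the CISA advisory), does the defender's version of the attackers' first two steps from "How the Attack Works": it completes only the RFB version handshake that every VNC client performs before authenticating, reads back which security types the server offers, and stops. Security type 1 ("None") is an open door; type 2 alone is the classic DES challenge that only honours the first eight password characters. The sample server responses and host names are constructed for the demo; `probe()` talks to a live host, sends no credentials, and should only be pointed at addresses you own.

```python
import socket
import struct

# RFB (VNC) security-type numbers. Type 1 hands over the desktop with no password at all;
# type 2 is the classic DES challenge-response that only uses the first 8 password characters.
SECURITY_TYPES = {
    0: "Invalid (connection refused)",
    1: "None (no authentication)",
    2: "VNC Authentication (DES challenge, 8-char password)",
    5: "RA2", 6: "RA2ne", 16: "Tight", 18: "TLS", 19: "VeNCrypt", 30: "Apple Remote Desktop",
}


def parse_version(banner: bytes) -> tuple:
    """Parse the 12-byte ProtocolVersion message, e.g. b'RFB 003.008\\n' -> (3, 8)."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or not banner.endswith(b"\n"):
        raise ValueError(f"not an RFB banner: {banner!r}")
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)


def _reason(buf: bytes) -> str:
    """Failure reason string: u32 length followed by that many bytes."""
    (length,) = struct.unpack("!I", buf[:4])
    return buf[4:4 + length].decode("latin-1", "replace")


def parse_security_types(minor: int, payload: bytes) -> dict:
    """Parse the server's security message that follows the version exchange.

    RFB 3.3: one u32 security type (0 = failure, followed by a reason string).
    RFB 3.7/3.8: u8 count, then `count` u8 types (count 0 = failure + reason string).
    """
    if minor <= 3:
        (code,) = struct.unpack("!I", payload[:4])
        if code == 0:
            return {"types": [], "reason": _reason(payload[4:])}
        return {"types": [code], "reason": None}
    count = payload[0]
    if count == 0:
        return {"types": [], "reason": _reason(payload[1:])}
    return {"types": list(payload[1:1 + count]), "reason": None}


def classify(types: list) -> str:
    """Triage verdict for the offered security types."""
    if not types:
        return "refused"
    if 1 in types:
        return "EXPOSED: no authentication required"
    if types == [2]:
        return "WEAK: classic VNC password only"
    return "auth required: " + ", ".join(SECURITY_TYPES.get(t, f"type {t}") for t in types)


def _recv_exactly(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection during the handshake")
        buf += chunk
    return buf


def probe(host: str, port: int = 5900, timeout: float = 3.0) -> dict:
    """Live check of one listener: complete the version handshake, read the offered security
    types, and stop. No credentials are sent and no session is opened. Use only on your own hosts."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = _recv_exactly(sock, 12)
        major, minor = parse_version(banner)
        sock.sendall(banner)  # echoing the server's version is the simplest valid client reply
        info = parse_security_types(minor, sock.recv(256))
        info["version"] = f"{major}.{minor}"
        info["verdict"] = classify(info["types"])
        return info


if __name__ == "__main__":
    # Constructed server responses (not real captures) covering the cases that matter.
    samples = {
        "hmi-01 (RFB 3.8, no auth)":        (8, b"\x01\x01"),
        "hmi-02 (RFB 3.8, VNC auth only)":  (8, b"\x01\x02"),
        "hmi-03 (RFB 3.8, VeNCrypt+VNC)":   (8, b"\x02\x13\x02"),
        "hmi-04 (RFB 3.3, too many fails)": (3, b"\x00\x00\x00\x00\x00\x00\x00\x11Too many failures"),
    }
    for name, (minor, payload) in samples.items():
        info = parse_security_types(minor, payload)
        print(f"{name}: {classify(info['types'])}" + (f" ({info['reason']})" if info["reason"] else ""))
```

This is the same information a Shodan banner shows for a VNC port, which is exactly why the attackers do not need to "try passwords" on a type-1 server: there is nothing to try. Run `probe()` against each listener your nmap scan found and treat any "EXPOSED" result as an incident, not a finding.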

2. Block External VNC Access Immediately

If you discovered exposed VNC services, block them at your firewall right now:

# For Linux-based firewalls (iptables). Do this at the perimeter firewall, not only on the
# HMI itself: a host rule protects one box, a perimeter rule protects every listener behind it.
# Drop the VNC display and viewer ports from everywhere, then re-allow your own internal
# range above that rule (adjust 10.0.0.0/8 to your addressing):
iptables -I INPUT -p tcp -m multiport --dports 5800:5809,5900:5909 -j DROP
iptables -I INPUT -s 10.0.0.0/8 -p tcp -m multiport --dports 5800:5809,5900:5909 -j ACCEPT
# Persist across reboots (path used by the iptables-persistent package on Debian/Ubuntu):
iptables-save > /etc/iptables/rules.v4

Why this works: This firewall rule drops all inbound traffic to VNC ports before it reaches your systems. Think of it like locking a door that was previously wide open—simple, but immediately effective.

For Cisco ASA firewalls (the "line 1"/"line 2" keywords put the denies ahead of any existing permit, since the ACL is evaluated top-down; the access-group line is what actually applies the list to the outside interface):

access-list outside_in line 1 deny tcp any any range 5900 5909 log
access-list outside_in line 2 deny tcp any any range 5800 5809 log
access-group outside_in in interface outside

Caution: If operators currently access these systems remotely via VNC directly from the internet, this will break their access. That's intentional—we'll provide a secure alternative in the next step. Coordinate with your operations team about the timing, but don't delay this action unnecessarily. The risk of compromise outweighs the temporary inconvenience.

3. Audit Active VNC Sessions

Check whether unauthorized sessions are already active:

# On Linux systems: first the listeners, then established sessions with the peer address:
ss -tlnp | grep -E ':59[0-9]{2} '
ss -tnp state established '( sport = :5900 or sport = :5901 )'
ps aux | grep -i vnc

# On Windows systems (second command keeps only live sessions):
netstat -ano | findstr :59
netstat -ano | findstr :59 | findstr ESTABLISHED

If you see active VNC connections from unknown IP addresses, you may already be compromised. In that case:

  1. Document the connections (source IP, time, port) for investigation
  2. Terminate the sessions immediately
  3. Follow your incident response plan
  4. Contact CISA at ics-cert@cisa.dhs.gov and your local FBI field office

4. Change All VNC Passwords

Assume that if your VNC services were internet-accessible with weak passwords, credentials may have been compromised:

# On Linux VNC servers (TigerVNC/TightVNC):
vncpasswd

# Use a strong password:
# - 16+ characters
# - Mix of uppercase, lowercase, numbers, symbols
# - Not based on dictionary words
# - Not reused from other systems

One caveat that surprises people: classic VNC authentication (RFB security type 2) uses the password as a DES key, so only the first 8 characters count; most servers silently ignore the rest, and the challenge-response crosses the network unencrypted. A long password is still worth setting (other security types honour it), but it is no substitute for the VPN, TLS and system-level authentication described in the short-term actions below.

Why this matters: Even after blocking external access, if an attacker previously gained credentials, they might still have other access paths. Rotating passwords closes that gap.


Short-Term Actions (Complete Within 2 Weeks)

1. Implement Secure Remote Access

Operators still need to access these systems remotely for legitimate purposes. Here's the right way to do it:

Option A: VPN with Multi-Factor Authentication

Instead of exposing VNC directly to the internet, require remote users to connect through a VPN first:

[Internet] → [VPN Gateway with MFA] → [Internal Network] → [VNC on OT Systems]

Why this is better: The VPN gateway becomes your security checkpoint. Even if someone has a password, they can't connect without also providing a second factor (a code from their phone, a hardware token, etc.). A guessed, leaked or brute-forced password on its own no longer gets a session, which removes the entire technique these groups rely on.

Implementation steps:

  1. Deploy a VPN solution (WireGuard, OpenVPN, Cisco AnyConnect, etc.)
  2. Configure it to require MFA (TOTP apps like Duo or Google Authenticator, or hardware tokens like YubiKey)
  3. Create VPN accounts only for authorized OT operators
  4. Configure the VPN to only allow access to OT network segments (not your entire network)
  5. Log all VPN sessions with timestamps, source IPs, and user accounts

Option B: Jump Host/Bastion Server

A jump host is a hardened server that sits between the internet and your OT network:

[Internet] → [Jump Host in DMZ] → [OT Network]
            (MFA required)
            (Session recording)
            (IP whitelisting)

Users SSH to the jump host and tunnel VNC through that same session, so the HMI never sees a connection from anywhere but the jump host:

# From the operator's laptop: authenticate to the jump host (MFA prompt appears here) and,
# in the same SSH session, forward local port 5900 to the HMI's VNC port inside the OT network:
ssh -L 5900:ot-hmi-internal:5900 ot-operator@jumphost.example.com

# In a second terminal on the laptop, point the VNC viewer at the local end of the tunnel.
# The VNC traffic rides inside SSH for the whole internet leg:
vncviewer localhost:5900

Why this is better: Every remote access goes through a single, heavily monitored checkpoint. You can implement session recording (so you have a video of everything remote users do), IP whitelisting (only certain source addresses can even reach the jump host), and detailed logging.

2. Network Segmentation

Your OT network should not be flat with your IT network or connected directly to the internet. Implement the Purdue Model for industrial network architecture:

Level 5: Enterprise Network (IT systems - email, file shares, business apps)
Level 4: Site Business Planning and Logistics (ERP, scheduling, site IT)
    ↓ [Firewall with strict rules]
Level 3.5: DMZ (data historians, jump hosts - where IT and OT meet)
    ↓ [Firewall with very strict rules]
Level 3: Operations Network (SCADA servers, engineering workstations)
    ↓ [Firewall allowing only necessary protocols]
Level 2: Control Network (HMIs, operator terminals)
    ↓ [Firewall with whitelist-only rules]
Level 1: Field Network (PLCs, RTUs, field controllers)
    ↓
Level 0: Physical Process (sensors, actuators, the actual equipment)

What this means in practice:

  • Internet traffic cannot directly reach OT devices (goes through multiple firewalls)
  • Compromised IT systems (email infections, phishing) can't easily pivot to OT
  • Each level has its own security controls and monitoring
  • Attackers who breach one level face new barriers at each subsequent level

Example firewall rule between levels:

ip access-list extended OT-ENFORCE
 remark SCADA server -> PLC: Modbus/TCP only
 permit tcp host 10.100.10.50 host 10.100.20.10 eq 502
 remark SCADA server -> PLC: OPC UA
 permit tcp host 10.100.10.50 host 10.100.20.10 eq 4840
 remark Explicitly block VNC between levels, and log it
 deny tcp any any eq 5900 log
 remark Default deny everything else
 deny ip any any log

Why this works: Defense in depth. If one control fails, others are still in place. Segmentation limits the "blast radius" of a breach.
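Rules like the ones above are only as good as their order, and the mistake that undoes them is usually a "temporary" permit added above the denies. The following Python script, added here as an example and not taken from the article, is a first-match evaluator for that ACL: it parses the lines, decides each test flow the way a Cisco-style ACL would (first match wins, implicit deny at the end), and audits the result against a list of flows the policy must permit or deny. The 10.100.x.x hosts are the article's made-up examples; the 10.100.1.0/24 enterprise workstation range is an added assumption, and CIDR notation stands in for Cisco wildcard masks.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The segmentation ACL from the text, in Cisco-style syntax: first match wins, implicit deny
# after the last line, "remark" lines are comments. Hosts are the article's example addresses.
ACL = """
remark SCADA server -> PLC: Modbus/TCP only
permit tcp host 10.100.10.50 host 10.100.20.10 eq 502
remark SCADA server -> PLC: OPC UA
permit tcp host 10.100.10.50 host 10.100.20.10 eq 4840
deny tcp any any eq 5900 log
deny ip any any log
"""


@dataclass
class Rule:
    action: str                  # permit | deny
    proto: str                   # ip | tcp | udp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]          # destination port from "eq N"; None means any port
    log: bool


def _addr(tokens: list, i: int):
    """Parse 'any', 'host A.B.C.D' or a CIDR block (CIDR simplifies Cisco wildcard masks)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tokens[i], strict=False), i + 1


def parse_acl(text: str) -> list:
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _addr(tokens, 2)
        dst, i = _addr(tokens, i)
        port = None
        if i < len(tokens) and tokens[i] == "eq":
            port, i = int(tokens[i + 1]), i + 2
        rules.append(Rule(action, proto, src, dst, port, i < len(tokens) and tokens[i] == "log"))
    return rules


def evaluate(rules: list, proto: str, src: str, dst: str, dport: int):
    """Return (action, matching rule number) for one flow; ('deny', None) is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, r in enumerate(rules, 1):
        if r.proto != "ip" and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.port is not None and r.port != dport:
            continue
        return r.action, n
    return "deny", None


# Flows the policy must get right. Re-checking these after every ACL change catches a
# mis-ordered or over-broad line before it reaches the OT firewall.
EXPECTED = [
    ("tcp", "10.100.10.50", "10.100.20.10", 502,  "permit"),  # SCADA -> PLC Modbus
    ("tcp", "10.100.10.50", "10.100.20.10", 4840, "permit"),  # SCADA -> PLC OPC UA
    ("tcp", "10.100.10.51", "10.100.20.10", 502,  "deny"),    # any other host may not speak Modbus
    ("tcp", "10.100.1.25",  "10.100.20.40", 5900, "deny"),    # enterprise workstation -> HMI VNC
    ("tcp", "10.100.1.25",  "10.100.20.40", 3389, "deny"),    # RDP is not on the allow list either
]


def audit(rules: list) -> list:
    """Return the EXPECTED flows whose actual decision differs from the required one."""
    return [flow for flow in EXPECTED if evaluate(rules, *flow[:4])[0] != flow[4]]


if __name__ == "__main__":
    rules = parse_acl(ACL)
    print("violations:", audit(rules))  # expect []
    # Someone "temporarily" opens VNC for a vendor by adding a permit above the deny:
    broken = parse_acl(ACL.replace("deny tcp any any eq 5900 log",
                                   "permit tcp any any eq 5900\ndeny tcp any any eq 5900 log"))
    print("violations after change:", audit(broken))
```

The audit is the point, not the evaluator: keep the EXPECTED list under version control next to the firewall configuration and run it in the change pipeline, and the vendor permit in the last lines gets rejected before it ever reaches the OT boundary.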

3. Enable Enhanced Authentication

Move beyond simple VNC passwords:

Configure VNC to require TLS encryption (TigerVNC syntax on Linux; the Windows VNC servers common on HMIs have equivalent settings in their GUI):

# Use a certificate-backed security type. "TLSVnc" also encrypts, but with anonymous TLS,
# which cannot stop a man-in-the-middle. Viewers must trust the CA that issued the cert.
vncserver -SecurityTypes X509Vnc -X509Cert /etc/vnc/server-cert.pem -X509Key /etc/vnc/server-key.pem

Why this matters: TLS encryption prevents eavesdropping on VNC sessions. Without encryption, passwords and screen contents travel across the network in forms that can be intercepted.

Integrate VNC with OS authentication:
Instead of a separate VNC password, require users to authenticate with their Windows/Linux account (TigerVNC example below; on Windows, RealVNC's "Windows password" and UltraVNC's "MS Logon" options do the same job):

# X509Plain sends the OS username and password inside TLS and checks them through PAM:
vncserver -SecurityTypes X509Plain -X509Cert /etc/vnc/server-cert.pem -X509Key /etc/vnc/server-key.pem -PAMService vnc -PlainUsers ot-operator

Why this is better: Now you can leverage your existing user management, password policies, and account lockout settings. When an employee leaves, disabling their account automatically revokes their VNC access.

4. Deploy Monitoring and Alerting

Even with improved security controls, you need to detect if attacks are still occurring:

Firewall log monitoring (Splunk query example):

index=firewall_logs dest_port IN (5900,5901,5902,5903,5904,5905,5906)
| where NOT (cidrmatch("10.0.0.0/8", src_ip) OR cidrmatch("172.16.0.0/12", src_ip) OR cidrmatch("192.168.0.0/16", src_ip))
| stats count by src_ip, dest_ip, dest_port
| where count > 5
| sort -count

What this detects: External IP addresses (not from your internal networks) attempting to connect to VNC ports multiple times. This indicates active scanning or attack attempts.
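
The Splunk search above re-implemented in plain Python, as an added example (not from the original post), so the same triage can be run over an exported firewall log. The log format, host name and addresses are constructed for this example.

```python
# Added example (not from the original post): the Splunk search above re-implemented
# in plain Python, so the same triage can be run over an exported firewall log.
# The log format, host name and addresses are constructed for this example.
import ipaddress
from collections import Counter

VNC_PORTS = range(5900, 5907)            # 5900-5906, as in the Splunk search
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
THRESHOLD = 5                            # same as "where count > 5"

def _event(ts, src, dst, port, action="deny"):
    return f"{ts} fw01 action={action} src_ip={src} dest_ip={dst} dest_port={port}"

# Constructed key=value firewall events (syslog-style, one event per line):
# six external probes of an OT host on 5900, a noisy source inside RFC 1918 space,
# a low-count external source, and a non-VNC port that must be ignored.
SAMPLE_LOG = "\n".join(
    [_event(f"2025-12-10T01:12:{i:02d}Z", "198.51.100.7", "10.100.20.10", 5900) for i in range(6)]
    + [_event(f"2025-12-10T02:00:{i:02d}Z", "192.168.1.20", "10.100.20.10", 5900, "allow") for i in range(8)]
    + [_event(f"2025-12-10T03:30:{i:02d}Z", "203.0.113.9", "10.100.20.11", 5901) for i in range(2)]
    + [_event("2025-12-10T04:00:00Z", "198.51.100.7", "10.100.20.10", 22)]
)

def parse_line(line):
    """Return the key=value fields of one log line, or None if the line lacks
    the src_ip/dest_ip/dest_port fields or carries an unparsable value."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if not {"src_ip", "dest_ip", "dest_port"} <= fields.keys():
        return None
    try:
        ipaddress.ip_address(fields["src_ip"])
        fields["dest_port"] = int(fields["dest_port"])
    except ValueError:
        return None
    return fields

def is_internal(ip):
    """True if ip falls in one of the RFC 1918 ranges the search excludes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_external_vnc_probes(log_text, threshold=THRESHOLD):
    """Count events per (src_ip, dest_ip, dest_port) for VNC ports from
    external sources; return the tuples above the threshold, highest count first."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f["dest_port"] in VNC_PORTS and not is_internal(f["src_ip"]):
            counts[(f["src_ip"], f["dest_ip"], f["dest_port"])] += 1
    hits = [(key, n) for key, n in counts.items() if n > threshold]
    return sorted(hits, key=lambda kn: -kn[1])

if __name__ == "__main__":
    for (src, dst, port), n in find_external_vnc_probes(SAMPLE_LOG):
        print(f"{src} -> {dst}:{port}  {n} attempts")
```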

Set up alerts:

  • Alert when external IPs attempt to connect to VNC ports (even if blocked)
  • Alert when VNC authentication fails multiple times from the same source (brute-force attempt)
  • Alert when VNC sessions are established during off-hours
  • Alert when OT configuration changes occur from remote sessions

Send alerts to your Security Operations Center (SOC) or to on-call personnel who can investigate and respond.


Long-Term Remediation (Complete Within 3-12 Months)

1. Comprehensive OT Asset Inventory

You can't protect what you don't know exists. Many critical infrastructure operators don't have complete visibility into their OT environments:

Create an inventory documenting:

  • Every OT device (PLCs, HMIs, SCADA servers, RTUs, industrial switches)
  • Network location and IP address
  • Vendor, model, firmware version
  • Remote access methods (VNC, RDP, SSH, web interface)
  • Which physical processes each device controls
  • Criticality level (what happens if this device fails?)

Tools for OT asset discovery:

  • Passive network monitoring (Nozomi Networks, Claroty, Dragos) - preferred for OT because it doesn't risk disrupting sensitive systems
  • Active scanning (Nmap with ICS-specific scripts) - use cautiously and only during maintenance windows

2. Vulnerability Management for OT

Unlike IT systems, you can't just automatically patch OT devices. Equipment is often running 24/7, patches might not exist for older hardware, and changes require coordination with operations teams and sometimes equipment vendors.

Establish a process:

  1. Subscribe to ICS-CERT advisories (https://www.cisa.gov/uscert/ics/advisories)
  2. Track vulnerabilities affecting your specific OT devices
  3. Assess risk based on exposure, exploitability, and operational impact
  4. Coordinate patching with scheduled maintenance windows
  5. Test patches in non-production environments first
  6. Document all changes for audit purposes

3. Incident Response Planning

Hope for the best, prepare for the worst. Have a documented plan for responding to OT cyber incidents:

Your plan should include:

  • Roles: Who's in charge during an incident? OT engineer, CISO, plant manager, legal counsel?
  • Decision trees: Under what circumstances do we shut down processes? When do we report to regulators?
  • Contact information: CISA ICS-CERT (ics-cert@cisa.dhs.gov), FBI local field office, your cyber insurance provider, equipment vendors
  • Isolation procedures: How do we segment a compromised OT network without disrupting safe operations?
  • Communication protocols: Who informs customers? How do we coordinate with public relations and legal teams?
  • Recovery procedures: Where are offline backups of SCADA configurations and PLC logic stored? How do we restore them?

Test your plan: Conduct tabletop exercises quarterly where your incident response team walks through realistic scenarios. "An operator notices unauthorized changes to chemical dosing setpoints at 2am on a Saturday. What do you do?"

4. Workforce Training

Your OT operators need basic cybersecurity awareness, and your IT security team needs basic OT knowledge:

For OT staff:

  • Recognize phishing attempts (many OT compromises start with spear-phishing of operators)
  • Understand why default passwords are dangerous
  • Know who to contact if they see unusual system behavior
  • Basic access control principles (don't share accounts, lock workstations)

For IT/security staff:

  • Understand OT protocols (Modbus, DNP3, OPC) and how they differ from IT protocols
  • Learn constraints of OT environments (can't reboot a system controlling a 24/7 process)
  • Appreciate safety implications of security decisions

Training resources:

  • SANS ICS410 (ICS/SCADA Security Essentials) and ICS515 (ICS Active Defense and Incident Response)
  • Vendor-specific training for your SCADA platform
  • Sector-specific ISACs (E-ISAC for energy, WaterISAC for water utilities, Food & Ag-ISAC)

If You Can't Make Changes Immediately

Some organizations face constraints—budget limitations, operational dependencies, vendor support agreements that restrict changes. If you absolutely cannot implement the full remediation immediately, here are temporary risk reduction measures:

Temporary Workaround 1: IP Whitelisting

If you must keep VNC exposed, at least restrict who can access it:

# Allow VNC only from specific trusted IP addresses:
iptables -A INPUT -p tcp --dport 5900 -s 203.0.113.45 -j ACCEPT  # Trusted operator 1
iptables -A INPUT -p tcp --dport 5900 -s 203.0.113.46 -j ACCEPT  # Trusted operator 2
iptables -A INPUT -p tcp --dport 5900 -j DROP  # Block everyone else

Why this helps (but isn't sufficient): Limits the attack surface to only a few IP addresses instead of the entire internet. However, if those trusted IPs are compromised, or if an attacker spoofs the IP address, this protection fails.

Temporary Workaround 2: Port Knocking

Require a secret "knock" sequence before the VNC port even appears open:

# Install port knocking daemon:
apt-get install knockd

# Configure a secret knock sequence (example: connect to ports 7000, 8000, 9000 in sequence)
# Only after receiving the correct knock does the firewall allow VNC access

Why this helps (but isn't sufficient): Adds obscurity—attackers scanning port 5900 won't find it open unless they know the secret knock sequence. However, security through obscurity is not a substitute for real authentication and encryption.

Temporary Workaround 3: Session Timeouts

Configure aggressive timeouts so idle VNC sessions disconnect:

# VNC idle timeout (10 minutes):
vncserver -IdleTimeout 600

Why this helps: Limits the window of opportunity if credentials are compromised. An attacker who gains access would get disconnected quickly if not actively using the session.

Important: These are temporary risk reduction measures, not solutions. Think of them as locking your car doors while you figure out how to park it in a garage. Better than nothing, but not where you want to stay long-term.


Detection: How to Know If You've Been Compromised

Even with protections in place, you should monitor for signs of attack or compromise.

Network-Based Detection

Snort Rule (open-source IDS):

alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 ( \
  msg:"VNC Access from Internet to OT Network"; \
  flow:to_server,established; \
  classtype:policy-violation; \
  sid:1000010; rev:1; \
)

What this detects: Any VNC connection from external networks to your OT network. Since you've now implemented controls that should prevent this, any match on this rule indicates either a misconfiguration or an active attack.

Suricata Rule (detecting VNC protocol handshake):

alert tcp any any -> $OT_NETWORK [5800:5900] ( \
  msg:"VNC RFB Protocol Handshake to OT Segment"; \
  flow:to_server,established; \
  content:"RFB "; depth:4; \
  classtype:protocol-command-decode; \
  sid:1000011; rev:1; \
)

What this detects: The actual VNC protocol negotiation, not just port access. This catches VNC traffic even on non-standard ports.
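
The content check the Suricata rule performs, written in Python as an added example (not from the original post) so it can be run over client-to-server payloads pulled from a packet capture to find VNC on ports a port-only rule would miss. The flow records, addresses, the 10.100.20.0/24 stand-in for $OT_NETWORK and the payload bytes are all constructed.

```python
# Added example (not from the original post): the "RFB " content check from the
# Suricata rule above, applied to captured TCP payloads. Flows, addresses and
# bytes are constructed; 10.100.20.0/24 stands in for $OT_NETWORK.
import ipaddress
import re

# RFB ProtocolVersion message: "RFB xxx.yyy\n" (12 bytes), sent by the server
# and echoed back by the client; the rule's to_server match sees the echo.
RFB_VERSION_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n")
OT_NETWORK = ipaddress.ip_network("10.100.20.0/24")

def rfb_version(payload):
    """Return (major, minor) if the payload starts with an RFB version string, else None."""
    m = RFB_VERSION_RE.match(payload[:12])
    return (int(m.group(1)), int(m.group(2))) if m else None

# Constructed flows: (src_ip, dst_ip, dst_port, direction, first payload bytes).
FLOWS = [
    ("198.51.100.7", "10.100.20.10", 5900, "to_server", b"RFB 003.008\n"),
    ("198.51.100.7", "10.100.20.12", 8443, "to_server", b"RFB 003.008\n"),  # VNC on a non-standard port
    ("10.100.20.12", "198.51.100.7", 8443, "to_client", b"RFB 003.008\n"),  # server side of that handshake
    ("203.0.113.9",  "10.100.20.10",  443, "to_server", b"\x16\x03\x01\x02\x00"),  # TLS ClientHello, not VNC
    ("10.100.10.50", "10.100.20.11", 5900, "to_server", b"RFB 003.003\n"),  # Level 3 -> Level 2, still logged
    ("198.51.100.7", "10.100.30.5",  5900, "to_server", b"RFB 003.008\n"),  # destination outside $OT_NETWORK
]

def find_rfb_to_ot(flows, ot_network=OT_NETWORK):
    """Mirror the rule: to_server flows into the OT segment whose payload begins
    with an RFB version string. standard_port says whether a port-only rule
    covering 5800-5900 would also have fired."""
    alerts = []
    for src, dst, port, direction, payload in flows:
        if direction != "to_server" or ipaddress.ip_address(dst) not in ot_network:
            continue
        version = rfb_version(payload)
        if version is not None:
            alerts.append({"src": src, "dst": dst, "port": port, "version": version,
                           "standard_port": 5800 <= port <= 5900})
    return alerts

if __name__ == "__main__":
    for a in find_rfb_to_ot(FLOWS):
        tag = "" if a["standard_port"] else "  (non-standard port)"
        print(f'{a["src"]} -> {a["dst"]}:{a["port"]} RFB {a["version"]}{tag}')
```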

Log-Based Detection

Check VNC server logs for authentication failures:

# Linux systems (pull the client IP out of each failure line regardless of which column it occupies):
grep -h "authentication failed" /var/log/vnc/*.log | grep -oE '[0-9]+(\.[0-9]+){3}' | sort | uniq -c | sort -rn

# Look for patterns like:
# 47 192.0.2.15  (this IP failed authentication 47 times - brute-force attempt)

Windows Event Log query (PowerShell):

Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VNC Server'} |
  Where-Object {$_.Message -match 'authentication|connection'} |
  Select-Object TimeCreated, Message

What to look for:

  • Multiple failed authentication attempts from the same IP (brute-force attack)
  • Successful authentications from unexpected geographic locations
  • VNC sessions during off-hours (2am on Sunday might be suspicious)
  • Connections from IP addresses you don't recognize
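
A small triage script for a VNC server's authentication log, added here as an example (not from the original post), that implements the first, third and fourth checks in the list above: repeated failures from one source, successful logins off-hours, and logins from sources not on a known-operator list. The line format is a constructed TigerVNC-like shape; the timestamps and addresses are constructed too.

```python
# Added example (not from the original post): triage of a VNC server auth log for
# brute-force sources, off-hours logins and unrecognised sources. The log line
# format, timestamps and addresses are constructed for this example.
import re
from collections import Counter
from datetime import datetime, time

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"(?P<event>authentication failed|authentication succeeded)"
    r"\D*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
BRUTE_FORCE_THRESHOLD = 10                # failures from one source in the log
OFF_HOURS = (time(22, 0), time(6, 0))     # 22:00-06:00 local time, plus weekends

# Constructed log: 12 failures then a success from one external address early on a
# Saturday, a normal Monday-morning login from the engineering workstation, and two
# failures from a second source (2025-12-06 is a Saturday, 2025-12-08 a Monday).
SAMPLE_LOG = "\n".join(
    [f"2025-12-06 01:55:{10 + i:02d} SVncAuth: authentication failed from 192.0.2.15"
     for i in range(12)]
    + ["2025-12-06 01:55:30 SVncAuth: authentication succeeded from 192.0.2.15",
       "2025-12-08 09:15:03 SVncAuth: authentication succeeded from 10.100.10.50",
       "2025-12-08 14:00:41 SVncAuth: authentication failed from 203.0.113.8",
       "2025-12-08 14:00:47 SVncAuth: authentication failed from 203.0.113.8"])

def parse(log_text):
    """Return (timestamp, event, source_ip) tuples for lines matching LINE_RE."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           m["event"], m["ip"]))
    return events

def brute_force_sources(events, threshold=BRUTE_FORCE_THRESHOLD):
    """Sources with at least `threshold` failures (the grep | uniq -c check above)."""
    fails = Counter(ip for _, ev, ip in events if ev == "authentication failed")
    return {ip: n for ip, n in fails.items() if n >= threshold}

def is_off_hours(ts, window=OFF_HOURS):
    """True on weekends or when the time falls inside the overnight window."""
    start, end = window
    t = ts.time()
    return ts.weekday() >= 5 or t >= start or t < end

def off_hours_logins(events):
    """Successful logins that happened off-hours, as (timestamp, source_ip)."""
    return [(ts, ip) for ts, ev, ip in events
            if ev == "authentication succeeded" and is_off_hours(ts)]

def unknown_sources(events, known_ips):
    """Sources that logged in successfully but are not on the known-operator list."""
    return sorted({ip for _, ev, ip in events
                   if ev == "authentication succeeded" and ip not in known_ips})

def triage(log_text, known_ips):
    """Run all three checks over one log and return the findings together."""
    events = parse(log_text)
    return {"brute_force": brute_force_sources(events),
            "off_hours": off_hours_logins(events),
            "unknown": unknown_sources(events, known_ips)}

if __name__ == "__main__":
    for check, finding in triage(SAMPLE_LOG, {"10.100.10.50"}).items():
        print(f"{check}: {finding}")
```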

SIEM Queries

If you have a Security Information and Event Management (SIEM) system, add these correlation rules:

Splunk query for suspicious VNC access:

index=firewall (dest_port=5900 OR dest_port=5800 OR dest_port=5801)
src_zone=untrust dest_zone=OT action=allow
| stats count by src_ip, dest_ip, dest_port
| where count > 3

What this finds: External sources (untrust zone) that successfully connected to OT systems on VNC ports multiple times. If your controls are properly configured, this should return zero results. Any results indicate either a policy exception that should be reviewed, or a security breach.

Elastic/ELK query:

{
  "query": {
    "bool": {
      "must": [
        {"terms": {"destination.port": [5900, 5800, 5801]}},
        {"term": {"network.direction": "inbound"}},
        {"term": {"event.action": "allowed"}}
      ],
      "must_not": [
        {"terms": {"source.ip": ["10.200.0.0/24"]}}
      ]
    }
  }
}

What this finds: Inbound VNC connections that were allowed, excluding your trusted VPN subnet (10.200.0.0/24 in this example).


Understanding the Attacker's Playbook: MITRE ATT&CK Mapping

For security professionals who want to understand these attacks in the context of the MITRE ATT&CK framework (a comprehensive database of adversary tactics and techniques), here's how these VNC-based attacks map:

ICS-Specific Techniques

Tactic                      Technique ID   Technique Name                     How It Applies
--------------------------  -------------  ---------------------------------  ----------------------------------------------------------
Initial Access              T0883          Internet Accessible Device         Exploit public-facing VNC on OT devices
Initial Access              T0886          Remote Services                    VNC authentication bypass or credential brute-force
Execution                   T0866          Exploitation of Remote Services    Establish VNC session to control OT systems
Discovery                   T0840          Network Connection Enumeration     Identify connected PLCs, RTUs, and field devices
Lateral Movement            T0859          Valid Accounts                     Use discovered credentials to access additional systems
Inhibit Response Function   T0800          Modify Parameter                   Change setpoints, pressure values, chemical dosing levels
Inhibit Response Function   T0804          Block Reporting Message            Disable alarms or monitoring systems
Impact                      T0879          Damage to Property                 Physical destruction of equipment via control manipulation
Impact                      T0828          Loss of Productivity and Revenue   Disrupt operations (water treatment, energy production)

Why these mappings matter: If you're building detection rules, threat hunting queries, or incident response playbooks, referencing MITRE ATT&CK IDs helps you leverage existing community research. For example, searching for "T0879 detection rules" will find resources from other organizations defending against property damage attacks.

Note: These MITRE ATT&CK mappings are analyst-inferred based on the attack descriptions in the CISA advisory, not explicitly provided by CISA.


Compliance and Regulatory Implications

Different sectors have different regulatory frameworks, and this CISA alert creates documentation expectations.

Energy Sector: NERC CIP

If you operate bulk electric system infrastructure, NERC CIP (Critical Infrastructure Protection) standards are mandatory and enforceable:

Relevant standards:

  • CIP-005-7 (Electronic Security Perimeters): Requires protection of all Electronic Access Points (EAPs). Internet-facing VNC connections violate perimeter controls.
  • CIP-007-7 (Systems Security Management): Mandates access controls on cyber assets. Weak or default VNC passwords violate these requirements.

Consequences:

  • Up to $1 million per day per violation (maximum statutory penalty)
  • Mandatory reporting to NERC within 1 hour of OT compromise
  • NERC audits occur annually; following CISA alerts, expect increased scrutiny of your response

What you should do:

  1. Document all actions taken in response to this CISA alert with timestamps
  2. Update your Electronic Security Perimeter diagrams to reflect any newly discovered internet-facing assets
  3. Review CIP-005 compliance for all remote access points
  4. Engage with your regional NERC entity (WECC, SERC, MRO, etc.) proactively

Water Utilities: EPA Safe Drinking Water Act

Under America's Water Infrastructure Act (AWIA), community water systems must conduct risk and resilience assessments including cybersecurity:

Consequences of internet-facing OT vulnerabilities:

  • Up to $69,733 per day per violation (2024 inflation-adjusted EPA penalty—note this is significantly higher than the $25,000 figure in older guidance)
  • Mandatory public notification if water safety is compromised
  • EPA sanitary surveys every 3 years will assess cybersecurity controls

What you should do:

  1. Update your risk and resilience assessment to document internet-facing assets and remediation plans
  2. Engage with WaterISAC (Water Information Sharing and Analysis Center) for threat intelligence
  3. Consider applying for EPA Water Infrastructure Improvements for the Nation (WIIN) Act grants to fund security improvements

Pipeline Operators: TSA Security Directives

The Transportation Security Administration's Security Directive 2021-02D requires pipeline operators to implement network segmentation and access controls:

Consequences:

  • $500,000 per violation
  • Potential shutdown orders for critical violations
  • TSA may conduct emergency inspections following CISA alerts (typically 30-60 day notice)

What you should do:

  1. Review compliance with SD 2021-02D isolation requirements
  2. Document that internet-facing OT devices have been removed or protected
  3. Prepare for potential TSA inspection with documentation of your response to this alert

Food & Agriculture: FDA FSMA

FDA's Food Safety Modernization Act includes an Intentional Adulteration Rule requiring protection against sabotage:

Consequences:

  • Compromised industrial controls could contaminate food production
  • Product recalls ($10 million+)
  • FDA consent decrees
  • Facility closures
  • Loss of retailer contracts (Walmart, Kroger de-listing can mean 40-60% revenue loss)

What you should do:

  1. Inventory PLCs controlling food safety-critical processes (pasteurization, refrigeration, sanitation)
  2. Document security controls for these systems
  3. Engage with Food & Ag-ISAC for sector-specific threat intelligence

All Critical Infrastructure: CISA CIRCIA

The Cyber Incident Reporting for Critical Infrastructure Act establishes mandatory reporting requirements:

Requirements:

  • 72-hour reporting for substantial cyber incidents affecting critical infrastructure
  • 24-hour reporting for ransomware payments

Timeline: The final rule is expected in May 2026, with enforcement to follow (note: earlier projections of 2025 enforcement were delayed). However, start preparing now:

  1. Establish reporting procedures for CISA notifications
  2. Define what constitutes a "substantial incident" in your environment
  3. Identify who has authority to submit reports
  4. Understand that late reporting will trigger penalties once enforcement begins

Important: Even before CIRCIA enforcement begins, CISA expects critical infrastructure operators to respond to their alerts. Failure to do so and subsequently experiencing an incident could be characterized as "willful negligence" in regulatory proceedings.


Sector-Specific Guidance

If You're in Energy

Your unique challenges:

  • NERC CIP mandatory compliance with strict timelines
  • High media and political attention on grid security
  • National security implications

Your priorities:

  1. Immediate NERC CIP-005 compliance verification (Electronic Security Perimeters)
  2. Document response to CISA alert for audit trail
  3. Engage with E-ISAC (Electricity Information Sharing and Analysis Center)
  4. Budget $2-5 million for comprehensive CIP compliance if not already done

Cost recovery: Many public utility commissions allow prudent cybersecurity costs in rate base, so investments may be recoverable.

If You're a Water Utility

Your unique challenges:

  • Limited budgets (many small municipal utilities have less than $500,000 annually for all IT/OT spending)
  • Public health implications (chemical treatment sabotage could poison drinking water)
  • Fragmented industry (50,000+ water systems in US with varying maturity levels)

Your priorities:

  1. Focus on highest-impact assets first: chemical dosing systems, pump stations
  2. Leverage federal funding: EPA WIIN Act grants, AWIA resources
  3. Consider regional cooperation—neighboring water districts can share costs for security monitoring
  4. Engage with WaterISAC for low-cost threat intelligence and training

Budget realism: Start with $200,000-$500,000 to secure critical assets, then expand over 3-5 years as budget allows.

If You're in Food & Agriculture

Your unique challenges:

  • Perishable goods (ransomware/sabotage means immediate spoilage losses)
  • Competitive margins (security costs compete with pricing pressure)
  • Less regulatory oversight (no mandatory cybersecurity standards like NERC CIP)

Your priorities:

  1. Inventory food safety-critical PLCs (pasteurization, refrigeration, quality control)
  2. Coordinate with FDA on FSMA Intentional Adulteration compliance
  3. Engage with Food & Agriculture ISAC
  4. Understand cyber insurance requirements—underwriters increasingly require OT controls

Budget driver: Cyber insurance is becoming a forcing function. Expect to invest $300,000-$800,000 to maintain coverage as underwriters tighten requirements.


Reporting and Information Sharing

If you discover a breach or attempted intrusion, reporting helps protect not just your organization but the entire sector.

Who to Contact

CISA ICS-CERT (Industrial Control Systems Cyber Emergency Response Team):

  • Email: ics-cert@cisa.dhs.gov
  • Web: https://us-cert.cisa.gov/ics
  • When: Within 24 hours for critical infrastructure incidents (best practice, will be mandatory under CIRCIA)
  • What they provide: Incident response support, threat intelligence, coordination with law enforcement

FBI Cyber Division:

  • Contact your local FBI field office
  • Web: https://www.fbi.gov/investigate/cyber
  • When: Immediately if criminal activity is suspected
  • What they provide: Criminal investigation, attribution support, intelligence on threat actors

Sector-Specific ISACs (Information Sharing and Analysis Centers):

What Information to Provide

When reporting incidents, include:

  • VNC session logs (source IPs, timestamps, authentication attempts)
  • Firewall logs showing attack traffic
  • Screenshots of unauthorized changes to HMI systems
  • Network packet captures (PCAPs) if available
  • Any social media or Telegram posts where attackers claim responsibility
  • Description of operational impact (downtime, physical damage, safety incidents)

Don't worry about having complete information—report what you know when you know it. CISA and FBI prefer timely partial information over delayed complete reports.


Resources for Going Deeper

Government Resources

CISA:

NIST (National Institute of Standards and Technology):

  • SP 800-82 Rev. 3: Guide to Operational Technology Security
  • Cybersecurity Framework for Critical Infrastructure

Industry Standards

ISA/IEC 62443: Industrial Automation and Control Systems Security

  • The international standard for OT security
  • Provides detailed technical requirements for secure OT architecture

NERC CIP: For bulk electric system operators
AWWA Standards: For water utilities

Training and Certifications

SANS Institute:

  • ICS410: ICS/SCADA Security Essentials
  • ICS515: ICS Active Defense and Incident Response
  • ICS456: Essentials for NERC Critical Infrastructure Protection

GIAC Certifications:

  • GICSP: Global Industrial Cyber Security Professional

Threat Intelligence

Free/Low-Cost:

Commercial:

  • Dragos WorldView
  • Claroty Team82 Research
  • Mandiant OT Threat Intelligence
  • Recorded Future ICS Intelligence

Key Takeaways

Let's summarize what you need to remember:

For System Administrators and OT Engineers:

  1. Scan your perimeter today to identify internet-facing VNC services
  2. Block external VNC access immediately at your firewall
  3. Implement VPN or jump hosts for legitimate remote access needs
  4. Network segmentation following the Purdue Model protects against lateral movement
  5. Monitor and alert on VNC access attempts even after blocking them

For Business Executives and Risk Managers:

  1. This threat is active now, not theoretical—CISA confirms ongoing exploitation with physical damage
  2. Financial risk is quantifiable: $3-50 million per incident vs. $1-4 million to prevent
  3. Regulatory consequences are severe: NERC, EPA, TSA, and CIRCIA all have enforcement teeth
  4. ROI is compelling: 1.5-3.5 year payback on security investments
  5. Inaction creates liability: After a CISA alert, failure to remediate demonstrates negligence

For Everyone:

The vulnerability isn't sophisticated. These attackers aren't using advanced malware or zero-day exploits—they're trying passwords on exposed systems. That means the fix isn't complicated either. Basic security hygiene—removing internet exposure, enforcing strong authentication, implementing network segmentation—eliminates 80-95% of the risk.

Don't let the perfect be the enemy of the good. You don't need to implement everything in this guide on day one. Start with the immediate actions (identify exposure, block external access), then systematically work through short-term and long-term improvements.

You're not alone. CISA, FBI, sector ISACs, and your peer organizations face the same challenges. Leverage their resources, share information, and ask for help when you need it. The government agencies issuing this alert want to help you defend—reach out to them.


A Final Word: Why This Matters

Critical infrastructure isn't an abstract concept—it's the water we drink, the electricity that powers hospitals, the fuel that delivers food to grocery stores. When these systems are compromised, real people are affected.

The pro-Russia hacktivist groups behind these attacks understand that. They're targeting infrastructure not because it's technically interesting, but because disrupting it undermines public confidence and creates visible consequences.

Here's the thing: you can stop them.

These aren't unstoppable adversaries with unlimited resources and advanced capabilities. They're opportunistic actors exploiting basic security gaps. When you remove internet exposure, enforce strong authentication, and implement network segmentation, they move on to easier targets.

Every water treatment plant that secures its control systems, every energy provider that segments its OT network, every food processor that implements MFA—each one makes the entire sector more resilient. The attackers are looking for low-hanging fruit. Don't be the fruit.

If you've read this far, you clearly care about protecting your organization and the communities that depend on your infrastructure. Now take that first step: identify your exposure today. The rest will follow.


Published: December 13, 2025

Based on: CISA Joint Cybersecurity Advisory AA25-343A (December 9, 2025)

Questions or need help? Contact CISA ICS-CERT at ics-cert@cisa.dhs.gov


This analysis combines technical expertise, business risk assessment, and threat intelligence to provide comprehensive guidance for defending critical infrastructure against pro-Russia hacktivist campaigns. All recommendations align with CISA guidance and industry best practices. Always test security changes in non-production environments before deploying to operational systems, and coordinate OT network modifications with operations teams to prevent unplanned outages.
